
The modern email threat: a simple plain-text email, appearing to come from the CEO, asking a junior member of the finance or accounts payable team to immediately settle an overdue invoice from an irate supplier who has just called them personally to complain.

Call it Business Email Compromise (BEC) or CEO Fraud, it’s still a targeted phishing attack, and the number of incidents has been rising steadily. Trend analysis here at CensorNet shows that these emails will soon account for 1% of all emails processed – or 1 in every 100 messages our customers receive.

Defending against this particular threat continues to be a major focus for the team, and an area of significant innovation and investment.

Whilst FBI Operation WireWire resulted in the arrest of 74 individuals in multiple countries last week, that still leaves plenty more Phish in the sea.

The problem with CEO fraud email messages is that they are notoriously difficult to detect.

In a recent attack, the only attribute of a message that was changed was the ‘Header From’ field. The display name in Outlook (other email clients are available) showed the CEO’s name.

(Note: Even the From address in < > next to the display name showed something similar to this email address – donotreply@executiveteeammailbox.com – which should have been enough to alert the user, but security education is not the topic of this blog post).

Nothing about the sender or sending server was suspicious. The IP address was not in any blacklist, the MX record was valid, the sending server matched the domain and responded to an SMTP probe. There was no SPF record.

We’re still undecided as to whether this makes the attacker super-smart or simple-stupid. The simplicity of the attack meant the message was likely to make it through most email defences, but would rely heavily on the recipient user being half asleep.

What this example does provide is crystal-clear evidence of the need for an ultra-modern and multi-layered approach to email security.

Traditional pattern matching / recurrent pattern matching technology is as much use as a chocolate teapot.

Content analysis – looking for message content that includes ‘urgent wire transfer’ or similar language can be effective but comes at a price. And that price is a risk of false positives – incorrectly identifying legitimate emails as ‘Suspect’.

Although, you could argue that quarantining the occasional message chasing payment of an invoice will help cash flow and is still better than inadvertently transferring $25,000 to an account in China or Hong Kong.

Algorithmic analysis is a powerful weapon in the arsenal for identifying scam emails, but even with over 1,000 algorithms examining over 130 elements of the message (in less than 200ms, about half the time it takes to blink), there was little (read nothing) to fire on in this case.

What was interesting about this particular attack was the domain that was used. It wasn’t a recently registered or new domain; it was almost a month old. It wasn’t a nearby domain (a cousin or typosquatting domain), so Levenshtein distance (one of our favourite algorithms due to its power and simplicity) wasn’t helpful. But the registrant had a history of criminal activity, registering domains and using them in attacks, and that meant a high threat intelligence risk score.

What the attack also highlights is the need to identify the real names of key individuals in external emails, particularly in ‘Header From’. Building a list of the names of the executive team and board members, and anyone else who is an active spokesperson for the organization, and quarantining external messages that contain those names, might not be sophisticated but is still a very valid defence.

As a last resort, some email security solutions rely on the user entering into a conversation with the attacker, asking for more details about the outstanding invoice, or exactly what detailed (confidential or personal) information the sender needs, building up a risk score with each message exchange until a threshold is reached.

CensorNet invests in combining technologies and techniques that identify and block the initial inbound email. Tracking SMTP conversations is still interesting: if a user receives an email from a sender for the first time that also contains potentially suspicious content, then a banner across the top of the email advising caution might just be enough to cause them to stop and think!

Ultimately, a combination of content analysis, threat intelligence and executive name checking would have stopped this super-smart, simple-stupid attack. Is it time to think differently about email security?
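As an added example (not CensorNet’s code or the post’s own), the following shows how the layers described above, executive-name matching on ‘Header From’, Levenshtein distance for cousin domains, first-contact sender detection and urgency-language content analysis, could be combined into a single risk score with a quarantine/banner/deliver decision. All names, domains, weights and thresholds are constructed for illustration.

```python
import re
from email.utils import parseaddr

# Constructed sample data for this example; names and domains are hypothetical.
OUR_DOMAIN = "example.com"
EXECUTIVES = {"jane doe", "john smith"}          # real names of the executive team / board
KNOWN_SENDERS = {"supplier@vendor-example.net"}  # addresses seen in previous SMTP conversations
URGENCY_TERMS = ("urgent", "wire transfer", "settle the invoice", "overdue invoice")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (classic dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_message(header_from: str, subject: str, body: str) -> dict:
    """Return the individual findings and a combined risk score for one inbound message."""
    display, addr = parseaddr(header_from)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]
    findings = {}

    # 1. Executive name check: a listed name in Header From of an *external* message.
    name = re.sub(r"[^a-z ]", "", display.lower()).strip()
    findings["exec_name_external"] = name in EXECUTIVES and domain != OUR_DOMAIN

    # 2. Cousin / typosquatting domain: small, non-zero edit distance to our own domain.
    findings["cousin_domain"] = 0 < levenshtein(domain, OUR_DOMAIN) <= 2

    # 3. First-contact sender: address never seen in a previous conversation.
    findings["first_contact"] = addr not in KNOWN_SENDERS

    # 4. Content analysis: payment-urgency language in subject or body.
    text = f"{subject} {body}".lower()
    findings["urgency_language"] = any(t in text for t in URGENCY_TERMS)

    # Weighted combination: each layer alone is weak, together they catch the plain-text BEC.
    weights = {"exec_name_external": 60, "cousin_domain": 30,
               "first_contact": 10, "urgency_language": 25}
    findings["score"] = sum(w for k, w in weights.items() if findings[k])
    findings["verdict"] = ("quarantine" if findings["score"] >= 50
                           else "banner" if findings["score"] >= 25 else "deliver")
    return findings
```

A first-contact sender using only mild urgency language lands in the ‘banner’ band, matching the caution-banner approach described above, while an executive name on an external domain is enough on its own to quarantine.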

Here at Network Utilities we offer a range of services and enhanced support from simple pen testing to 24/7/365 telephone support to fully managing your IT security. The aim is to remove the burden of niggling IT issues or staff shortages allowing you to focus on your critical projects and business objectives.

The financial implications of not being compliant are enormous, let alone the reputational damage that comes with a data breach! Data moves throughout your organisation at an alarming rate, and data privacy will affect all parts of your business.

We can provide you with practical, pragmatic advice on meeting and maintaining regulations such as GDPR and the incoming ePrivacy regulation enabling organisations like yours to meet regulatory obligations and business goals.

Watch our on demand webinar and get some key questions answered:

Will there be a grace period?

Who owns the risk when it comes to data in your organisation?

What is data portability?

What is a data protection officer?

Is it mandatory to have a data protection officer?

How and when do you obtain consent?

Will you need a Privacy Impact Assessment?

What actions should you take next?

Register here to join our next webinar in the series on the 12th September – Network Utilities Managed Security Services.

In 2016, the FBI estimated that ransomware attacks resulted in over $1 billion in income for cybercriminals*. Experts attribute the ransomware epidemic to people’s carelessness in clicking on phishing emails and infected advertisements.

Here are 10 things organisations should know about ransomware:

Ransomware was first reported in 1989

Ransomware doesn’t discriminate when it comes to platforms and devices

Ransomware can be distributed through various channels

Ransomware often goes undetected

Organisations should change their mindset from a reactive-based model to a prevention-oriented one

As threatening as ransomware sounds, damage can be avoided with increased user awareness coupled with the right security practices. Businesses need to be aware of the risks and take adequate precautions to minimize the impact in the event of an attack.

Want to see Cylance in action for yourself? Register here to join our workshop at The Metal Box Factory in London on the 25th May and see the capabilities for yourself.

In July 2016 Network Utilities and EfficientIP announced their partnership agreement to provide UK-based customers with EfficientIP DDI solutions, drawing on Network Utilities’ recognised expertise in the market and expanding EfficientIP’s existing partner network in the UK region. Both companies’ solutions will help organisations in a variety of public and private industries, particularly telecom, to protect their critical applications from growing threats, as well as integrate advanced network infrastructure.

With new legislation coming into effect in May 2018, this is a critical time for all organisations to focus on the strength, resiliency, and intelligence of their networks to avoid data breaches and ensure GDPR compliance. Now is the time to start building a GDPR-compliant infrastructure and providing sufficient security at the DNS level can save companies huge amounts of money and help avoid unnecessary GDPR proceedings.

David Silsby, Network Utilities Sales Director, believes this continued partnership will be beneficial to prospects and customers: “This new GDPR legislation puts the responsibility on companies to make sure their networks are as secure as possible, which will mean much more than just protecting the company’s data; it means protecting the whole infrastructure. No one can afford to ignore GDPR, and working together with EfficientIP, Network Utilities will be able to offer customers a more enhanced security offering.”

David Williamson, EfficientIP CEO, is also looking forward to a continued partnership: “The addition of Network Utilities to our partner group is key to bringing new adaptive security solutions to their customers. The past two years have seen a dramatic increase in cyber security attacks, and DNS has been confirmed as being a weak point of the network infrastructure. We have the solution for this in our 360° DNS Security, and Network Utilities has the expertise to apply it as part of their offering.”

Network Utilities will be hosting a webinar with Martin Wellsted from EfficientIP on the 3rd May. Register here and find out more about DNS exfiltration and how to prevent the unauthorised transfer of data from your organization.